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Abstract 

This paper presents a recursive secret sharing technique that dis- 
tributes k — 1 secrets of length 6 each into n shares such that each share 
is effectively of length • b and any k pieces suffice for reconstructing 
all the k — 1 secrets. Since is near the optimal factor of n/k, and 
can be chosen to be close to 1, the proposed technique is space efficient. 
Furthermore, each share is information theoretically secure, i.e. it does 
not depend on any unproven assumption of computational intractability. 
Such a recursive technique has potential applications in secure and reliable 
storage of information on the Web and in sensor networks. 

1 Introduction 

Conventional secret sharing schemes, although information theoretically secure, 
are space inefficient. Thus fc-out-of-n secret sharing techniques have a "blow- 
up" factor of n, i.e. sharing a secret of size b requires a total storage space of 
size b ■ n. 

In order to improve space efficiency, computational secret sharing techniques 
have been developed [TJ [2j [3l [4] in which a symmetric key is used to encrypt 
the original secret and the key is split into shares using conventional methods 
of secret sharing. The encrypted secret is divided into pieces to which redun- 
dancy is added by the use of block error correction techniques [SJ [7] . This 
leads to a n-fold increase in key size, pieces of which have to be stored with 
every share of the encrypted secret, hence becoming a overhead. Moreover, this 
reduction in storage is achieved by relaxing the security requirements, since the 
computational security is weaker than information theoretic security [7] . 

Consequently, we ask whether it is possible to improve space efficiency of 
secret sharing techniques while maintaining information theoretic security. This 
question is answered, herein, in the affirmative by proposing a secret sharing 
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scheme that encodes k—1 secrets in n shares compared to conventional methods 
of encoding 1 secret in n shares, thus increasing space efficiency and maintaining 
information theoretic security. 

In an earlier paper [S], a 2-out-of-2 (k = 2 and n = 2) recursive scheme for 
secret sharing was proposed. In this method, if k secrets are chosen such that 
they double in size, then all of the smaller secrets can be recursively stored in 
the shares of larger secrets, so that two shares of size 2™ can encode 2™ l+1 — 1 
bits of information. For example, if we are to share 3 secrets s\ — 1, S2 = 01, 
and S3 = 1011, then the two shares for s\ would be D Sl i = and D Sl 2 = 1; 
where exclusive-OR operation is used for secret reconstruction. The shares of 
si can be used to create two shares of S2 as follows: D S2 i — D Sl iO — 00 and 
D S2 2 — 0D Sl 2 = 01. Here D Sl i0 denotes concatenation of share 1 of secret si 
with 0; and 0D Sl 2 denotes concatenation of with share 2 of secret si, and so 
on. Similarly, we can recursively use the shares of S2 to create the shares of S3 : 
D S3 i = D S2l 10 = 0010 and D S3 2 = 10£> S2 2 = 1001. As a result, the final two 
shares for all the three secrets are 0010 and 1001. These shares have recursively 
encoded within themselves the shares of smaller secrets. Consequently, 8 bits of 
shares have encoded 7 bits of secrets. This is in comparison with conventional 
methods that would require 14 bits of shares. Note that the example presented 
here is slightly modified to improve the security of the scheme as compared to 
that presented in [5]. This idea of recursive secret sharing has been extended 
to 2-out-of-n secret sharing in [pj, requiring a n-fold increase in secret sizes at 
each step. 

The schemes presented in [8j |9j that build upon the requirement of n-fold 
increase in secret sizes at each step, only reduce the conventional blow up factor 
of n to n — 1. 

In this paper we relax the requirement of n-fold increase in secret sizes at 
each step and present a general recursive fc-out-of-n scheme that increases the 
efficiency of secret sharing to nearly 100% with no restrictions on increase in 
secret sizes, while maintaining information theoretic security. A result of this 
relaxation on secret sizes is that we are able to reduce the blow factor from 
n to ttzt- In more precise terms, we present a scheme that can store up to 
k—1 secrets of size b each using n shares such that each share is effectively of 
size (jrirj-) • b. This is in comparison with conventional secret sharing schemes 
that store just one secret of size b in n shares, requiring a total storage of size 
n ■ (k — 1) • b for k — 1 secrets. Hence our scheme is near optimal with a blow 
up factor of which can be chosen to be close to 1. Further the scheme 
is information theoretically secure and does not depend on any computational 
assumptions. 

The proposed recursive secret sharing scheme has applications in distributed 
online storage of information discussed in [51 [6]. However, Rabin [5] discarded 
the possibility of using secret sharing schemes because of the n-fold increase 
in storage space required by conventional implementations of secret sharing 
techniques. Since our scheme provides a near optimal way to encode data into 
small shares with no information leakage, it becomes an ideal candidate for use 
in secure online data storage. Such secure data storage scheme is an example of 
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implicit data security since the word implicit conveys the idea that there is no 
explicit encryption of data and no encryption keys are used. Data is so divided 
that each piece is implicitly secure in itself and only reveals information when 
k or more of the pieces are brought together. 

2 Space efficient secret sharing 

Below, we define the terms used in this paper for a (k, n) secret sharing scheme, 
where any k out of n shares suffice to reconstruct the secret. Since we are work- 
ing with information theoretically secure schemes b denotes the size of secret /s 
as well as the size of share. 

Definition 1. Blow-up factor (secret sharing) 

total size of shares 

total size of secret / s encoded by the shares 

_ number of shares x size of a share 
total size of original secret/s 

Definition 2. Blow-up factor (conventional secret sharing) 

_ number of shares x size of a share _ nxb _ 
total size of original sccret/s 6 

Definition 3. Space optimal secret sharing scheme: A secret sharing scheme 
with a blow up factor of where 2 < k < n. This is because for an space 
optimal secret sharing scheme 

number of shares x size of a share nxb n 

total size of original secret /s kxb k 

Definition 4. Space efficient secret sharing scheme: A secret sharing scheme 
that approaches the optimal blow up factor of 

The proposed scheme recursively builds upon Shamir's secret sharing scheme. 
Since it is known that Shamir's scheme is information theoretically secure, the 
proposed scheme is also similarly secure. However, Shamir's scheme generates 
n shares for every single secret, giving rise to a n-fold increase in storage space. 
Whereas, we share k — 1 secrets using n shares resulting in only ^^--fold increase 
in storage space, which is near optimal. 

We first briefly review the scheme presented by Shamir [10] . Note that 
Shamir only encoded one secret s in n shares as discussed in Algorithm 1 . 

Algorithm 1 (Shamir's secret sharing scheme) 

1. Choose a prime p, p > max(s, n), where s £ Z p is the secret. 

2. Choose k — 1 random numbers a\, et 2 , ft/c_i, uniformly and indepen- 
dently, from the field Z p . 
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3. Using a,, 1 < i < (k — 1) and secret s, generate polynomial p(x) of degree 
k - 1, 

= s + a\x + a 2 x 2 + ... + a/ c -ix k ^ 1 (mod p). 

4. Sample p(x) at n points A = p(i), 1 < i < n such that the shares are 
given by (i, A)- 

The reconstruction of the secret is performed by interpolating any k points 
(shares) and evaluating s = p(0). Algorithm 1 is known to be information 
theoretically secure due to the properties of interpolation, which says that k — 1 
shares do not reveal any information. 

Throughout the paper, we work in a finite field Z p , where p is a prime and 
p > max (s max, n), where s max — max(si),l < i < (k — 1), and S\, s 2 , 
Sk-i are the secrets. The shares will be denoted as D Si i, D Si 2, ...,A»m at the 
intermediate stages, where 2 < m < k — 2 and A, A, A at the final stage. 
(Note that, as in Shamir's scheme, D SiTn 's are the y-coordinates only, while the 
respective x-coordinates m's, are implicitly known to all players.) 

The intuition for the proposed scheme is as follows: We randomly and uni- 
formly choose a number a\ £ 1 p and generate I s * degree polynomial p\{x) — 
a\x + s\. Then we sample p\{x) at two points Ail = Pi(l) and D Sl2 — Pi(2), 
to generate two shares for s\. This first step can be viewed as a direct exe- 
cution of Shamir's (2, 2) secret sharing scheme. Next we use these two shares 
of si to generate polynomial p 2 {x) = D Sl 2X 2 + D Sl \x + s 2l where the coeffi- 
cients are the previous two shares and the free term is the new secret. Sampling 
p 2 (x) at three points A 2 i = P2(l), A 2 2 = P2(2), and A 2 3 = P2(3), gener- 
ates three shares of s 2 . We can now delete Ail and Aa because the new 
shares A 2 ii Ai 2 2, and D S23 have the shares of si hidden within themselves. 
We then use the shares of s 2 to create a 3 rd degree polynomial with s 3 as its 
free term and generate shares for s 3 by sampling the newly created polyno- 
mial at 4 points. These four points denoted as A 3 i, A 3 2, A 3 3, and A 3 4 
have the shares of s\, s 2 as well as S3 and therefore A 2 i, A 2 2 and A 2 3 can 
now be deleted. The process is repeated for secrets S4, s 5 , Sk-i by cre- 
ating pa{x), P5(x), ...,pk- 2 (x) and repetitive sampling and reusing of shares 
and deleting the older shares. At the last step, we generate a polynomial 
Pk-i(x) = D Sk _ 2 ( k _ 1) x k ~ 1 + A fc _ 2 (fc-2p fe ~ 2 + ••• + D Sk _ 2l x + s k -i and sample 
it at n points A = Pfc-i(l), A = Pfe-i(2), A = Pk-i(n), such that the 
final shares are given by (i,Di), 1 < i < n. These final n shares have recur- 
sively hidden fc — 1 secrets within themselves. Algorithm 2 illustrates the process. 

Algorithm 2 - Dealing Phase 

1. Randomly and uniformly choose a number a x 6 Z p and generate polyno- 
mial pi(x) = a\x + s\. 

2. Sample pi(x) at two points Ail = Pi(l) and Ai2 = Pi (2), which repre- 
sent two shares of s\. 
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3. Do for 2 < i < (k - 1) 



(a) Generate polynomial, 

Pi(x) = D Si _ li x i + D s ._ l{i _ 1) x i - 1 + ... + D Si _ lX x + Si. 

(b) Sample Pi(x) to create new shares, 

i. If i < k — 1, sample at i + 1 points: 

£>.«i=Pi(l) 
D Si2 = Pi (2) 

D si(i+i) =Pi(i + l)- 

ii. If i = k — 1, sample at n points: 

I>i=Pi(l) 
D 2 =Pi(2) 

D n =Pi(n). 

(c) If i < k — 1, delete old shares: A^-ii; D Si _ l2 , D Si _ li . 
4. The final n shares are explicitly given by (i, Di), 1 < i < n. 

For a the trivial case of just one secret s\ and a (2, n) secret sharing, the 
algorithm stops at step 2, where we sample the polynomial of first degree p\{x) 
at n-points to create n shares such that any 2 of the shares can reconstruct s\. 

Algorithm 2 - Reconstruction Phase 

1. Interpolate any k shares (i, Di) to generate the polynomial of degree k— 1, 
Pk-i(x) = -Dsfc^fc-i)^ 1 + D Sk2(k _ 2 )X k ~ 2 + ... + D Sk _ 2l x + s fc _i 

and evaluate Sk~i =Pk-i(0). 

2. Do for alH = k — 2 down to 1 

(a) Interpolate i+1 shares given by (m+1, £> s .( m+1 )), < m < i obtained 
from coefficients of pi + i(x) to generate polynomial of degree i, 
Pi(x) = D s% _ xi x % + D s ._^i_^x l ~ l + ... + D s% _ xl x + Si. 

(b) Evaluate Si =pi(0). 

As seen above the reconstruction of secrets is straightforward. Any k of the 
players can interpolate the polynomial of degree k — 1 such that the free term 
represents Sk-i = Pfc-i(O). Then using the k — 1 coefficients of this polynomial 
as points (leaving out the free term which is Sk-i), interpolate the polynomial 
of degree k — 2 to obtain Sk-2- This process is repeated until we obtain s\. 

Algorithm 2 has clearly been able to share k — 1 secrets among n players 
such that every k of them can interpolate all the k — 1 secrets. Therefore, the 
blow up factor has been reduced to o- 
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Theorem 1 Algorithm 2 generates information theoretically secure shares. 

Proof The proof builds up on the security of Shamir's secret sharing scheme. 
We know that Shamir's scheme is information theoretically secure. Note that 
step 1-2 in Algorithm 2 may be viewed as (2, 2) Shamir's secret sharing scheme. 
As a result, the shares for s\, i.e. D Sl i and D Sl 2 are information theoretically 
secure. In other words, given any number r E Z p , Pr(r = D Sl i) = Pr(r = 

Moreover, since a\ is randomly and uniformly chosen from the field, D sil 
and D Sl 2 can be viewed as random numbers. These shares are then used as 
random coefficients to generate a (3,3) Shamir's secret sharing scheme, with 
secret s 2 as the free term. The shares of s 2 from (3,3) Shamir's scheme encode 
the shares of si within themselves and can be used as coefficients to create a 
(4,4) Shamir's scheme with S3 as the free term. Now, the shares S3 from the 
(4,4) Shamir's scheme encode the shares of si and S2 in themselves. We then 
use these new shares to generate a (5,5) Shamir's with s 4 as the free term and 
so on. This process is repeated until we reach a (k — 1, k — 1) Shamir's scheme 
and have encoded k — 2 secrets. 

At this point, we use the shares of Sfc_ 2 as coefficients to generate a (k — l) th 
degree polynomial pk-i{x) with Sk~i as the free term. We then sample pk-i(x) 
at n-points, i.e. a (k, n) Shamir's scheme. Note that these final n-points (shares) 
encode the shares of k — 1 secrets within themselves. 

Our algorithm is recursive and given that the (2,2) Shamir's scheme is secure, 
Algorithm 2 generates information theoretically secure shares. □ 

Example. Let si = 17, s 2 = 28, s 3 = 5, and S4 = 12 be four secrets that 
are to be shared between 7 players such that any 5 of them can reconstruct all 
the 4 secrets. Let prime p = 31. 

Dealing phase. 

1. Randomly and uniformly choose a number a\ 6 Z p . Let ai = 22. Generate 
polynomial, pi(x) = a\x + si = 22.x + 17 (mod 31). 

2. Sample p\{x) at two points to generate two shares of secret s\, i.e. D Sl i — 
Pi(l) = 8and£> Sl2 = Pl (2) = 30. 

3. Generate polynomial P2(x) = D si2 x 2 + D si ix + s 2 = 30x 2 + 8x + 28. 

4. Sample p 2 (a;) at 3 points to generate three shares of s 2 , i.e. D S2 i =p 2 (l) = 
4, D S22 = p 2 (2) = 9, and D S23 = p 2 (3) = 12. 

5. Delete Z? Sl i and D Sl 2- 

6. Generate polynomial ^3(2;) = D S23 x 3 + D S22 x 2 + D S2 \x + s 3 = 12.t 3 + 
9x 2 + 4x + 5. 

7. Sample ^3(2;) at 4 points to generate four shares of S3, i.e. D S3 i = pz{l) = 
30, D S32 = pa(2) = 21, D S33 = p3(3) - 19, and D S , A - p 3 (4) = 3. 
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8. Delete D S2 i, D S22 , and D S23 . 

9. Generate polynomial 

Pi(x) = D SaA x A + D S33 x 3 + D S32 x 2 + D S3l x + s 4 = 3x 4 + 19a; 3 + 21a; 2 + 
30a; + 12. 

10. Sample Pi(x) at 7 points, which represents the final 7 shares. Hence, 
D x = p 4 (l) = 23, D 2 = p 4 (2) - 15, £ 3 = p 4 (3) - 24, £) 4 = p 4 (4) = 3, 
£> 5 = p 4 (5) = 8, L» 6 = p 4 (6) = 12, and D 7 = Pi (7) = 29. 

11. Delete £> S3 i, £> S3 2, £> S3 3, and L> S34 . 

The final seven shares are given by (1,-Di) = (1,23); (2, D2) = (2,15); 
(3,D 3 ) = (3,24); (4,£) 4 ) = (4,3); (5,D B ) = (5,8); (6,D 6 ) = (6,12); and 
(7,D 7 ) = (7,29). 

Reconstruction phase. 

All the four secrets can be reconstructed using any 5 out of 7 final shares. 

Using 5 shares, say (1,23), (3,24), (4,3), (5,8), and (7,29), we can inter- 
polate the A th degree polynomial P i{x) = 3x 4 + 19x 3 + 21a; 2 + 30a; + 12 (mod 
31), thus retrieving secret s 4 (the free term of the polynomial) by evaluating 
Si = Pi{0). 

Then extracting the coefficients of p&{x) and using them as y-coordinates of 
points x=l, 2, 3, and 4, i.e. (1, 30), (2, 21), (3, 19), and (4, 3) we can regenerate 
the 3 rd degree polynomial pz{x) = 12a; 3 + 9a; 2 + 4a; + 5 by interpolation and 
retrieve the s 3 as the free term. s 3 =p 3 (0). 

The coefficients of p${x) are then used as points (1,4), (2,9), (3,13) to 
interpolate P2(x) = 30x 2 + 8x + 28 and reconstruct s 2 = £2(0). 

The coefficients of P2(x) are used as (1,8) and (2, 30) to interpolate p\(x) = 
Tlx + 17 and reconstruct s± = pi(0). 

The algorithm simulates a Last In First Out (LIFO) data structure. 

3 Conclusions 

We have presented a recursive scheme that distributes k — 1 secrets amongst n 
individuals. The scheme is general and it places no restriction on the secret size. 
Since this method builds upon Shamir's secret sharing scheme, it is information 
theoretically secure. It has a blow up factor of which is near the optimal 
blow up factor of ? and represents a significant improvement over conventional 
secret sharing schemes. 

The proposed scheme has applications in secure distributed storage of infor- 
mation on the Web and in sensor networks. 
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